Skip to content

Extension Login Security

Endpoint security is the third line of defense in a multi-layered security strategy: it guards individual extension accounts against fraudsters who try to register or sign in without permission. Cloud Voice ships with lockout rules that watch login attempts on SIP (Session Initiation Protocol) extensions out of the box, and you can strengthen protection further with single sign-on (SSO), two-factor authentication (2FA), login QR codes and links, password policies, and user roles. The sections below walk through each option.

Lock out accounts after failed login attempts

Section titled “Lock out accounts after failed login attempts”

Cloud Voice enforces an account lockout policy on both the PBX (Private Branch Exchange) web portal and the Cloud Voice App:

  • When an IP address hits the configured number of failed attempts inside a set time window, the system temporarily refuses further attempts from that address.
  • When an IP address reaches the maximum number of failed attempts, it is banned permanently. Cloud Voice blocks the address, lists it under Blocked IPs, and sends a Web User Blocked Out or Cloud Voice App User Blocked Out notification to the contacts you designate.

So that someone is alerted whenever an address is blocked, turn on the relevant event notifications and add recipients.

  1. Go to System > Event Notification.

  2. On the Event Type tab, enable the Web User Blocked Out and Cloud Voice App User Blocked Out notifications.

    Cloud Voice, event type list with the blocked-out login notifications switched on

  3. On the Notification Contacts tab, add the people who should receive these alerts.

    Notification contacts panel with recipients added for security events

Once an alert arrives, review the specifics in the web portal under Security > Security Rules > Blocked IPs.

List of blocked IP addresses with the reason and timestamp for each block

Use single sign-on for third-party authentication

Section titled “Use single sign-on for third-party authentication”

Connecting Cloud Voice to Microsoft 365, Google Workspace, or Red Hat SSO lets users sign in to the Cloud Voice App with their existing Microsoft, Google, or Red Hat credentials. This removes the burden of managing yet another password and inherits the security controls already enforced on those third-party accounts.

Cloud Voice, sign-in screen offering third-party single sign-on options

  • Microsoft 365: Integrate Cloud Voice with Microsoft Entra ID (Azure Active Directory) or Active Directory, then enable SSO. Refer to the Microsoft Entra ID and Active Directory integration guides for the setup steps.
  • Google Workspace: Integrate Cloud Voice with Google Workspace, then enable SSO. Refer to the Google Workspace integration guide for the setup steps.
  • Red Hat: Integrate Cloud Voice with Red Hat SSO, then enable SSO. Refer to the Red Hat SSO integration guide for the setup steps.

Two-factor authentication (2FA) adds a second checkpoint to every login. Besides the account password (the first factor), the user must supply a one-time code delivered to a designated device (the second factor).

Cloud Voice, login prompt requesting a two-factor authentication code

To force every extension user through 2FA:

  1. Go to Security > Security Settings > Security Options.

  2. In the Two-Factor Authentication section, select Make Two-Factor Authentication Mandatory for All Extensions.

    Security options with the mandatory two-factor authentication checkbox selected

  3. Click Save, then Apply.

Section titled “Offer passwordless login with a QR code or link”

Login QR codes and links are a safer alternative to typing a password into the Cloud Voice App: each credential is encrypted and can be used only once. There are two ways to hand them out.

  1. Go to Extension and Trunk > Extension and edit the extension you want.

  2. On the Cloud Voice App tab, click Login QR Code or Login Link to copy the credential, then send it to the user.

    Cloud Voice, extension settings showing the login QR code and link buttons

Section titled “Send codes or links to several users at once”
  1. Go to Extension and Trunk > Extension.

  2. Select the extensions you want, then click Welcome Email.

    Cloud Voice, extension list with multiple extensions selected and the welcome email action

Weak passwords are an easy target for attackers. Close that gap by setting system-wide password requirements and giving each extension a strong password.

  1. Go to Security > Security Settings > Security Options.

  2. In the Extension Password Rules section, set the minimum password length and the number of previous passwords that cannot be reused.

    Extension password rules defining minimum length and password reuse limits

  3. Click Save, then Apply.

  1. Go to Extension and Trunk > Extension and edit the extension you want.

  2. In the User Information section, enter a strong user password.

    User information form with a strong password entered for the extension

  3. Click Save, then Apply.

Role-based access control grants or restricts administrative permissions according to a person’s job. Each user gets exactly the privileges their work requires, which limits the chance of an unauthorized user reaching sensitive data or performing actions they should not.

Cloud Voice includes these built-in roles: Super Administrator, Administrator, Supervisor, Operator, Employee, Human Resource, Accounting, and Hotel Manager. Assign a built-in role as is, or build a custom role with precisely the permissions you want.

  1. Go to Extension and Trunk > Role.

  2. Click Add to define a role from scratch, or Copy Role to start from an existing role and adjust it.

    Role management page with options to add a new role or copy an existing one

  1. Go to Extension and Trunk > Extension and edit the extension you want.

  2. In the User Information section, pick a role from the User Role drop-down list.

    Extension user information with a role chosen from the user role drop-down

  3. Click Save, then Apply.